The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux kernel flaw, tracked as CVE-2026-31431 and carrying a CVSS score of 7.8, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, nicknamed Copy Fail, lets a local unprivileged user write four controlled bytes into the page cache of a readable file, which can be escalated to root on major distributions using AF_ALG and splice() techniques.
It has been demonstrated to affect a range of distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, on kernel versions 6.12 through 6.18, and the attack can cross container boundaries. The demonstrated exploit targets the /usr/bin/su binary: by injecting code into the page-cache copy of this setuid-root binary, the attacker obtains root privileges.
Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, CISA has ordered federal agencies to remediate the vulnerability by May 15, 2026.